Method and system for establishing a communications pipe between a personal security device and a remote computer system

ABSTRACT

The present invention provides a method and a system for establishing a communications path (the “pipe”  75 ) over a communications network ( 45 ) between a Personal Security Device (PSD  40 ) and a Remote Computer System ( 50 ) without requiring means for converting high-level messages such as API-level messages to PSD-formatted messages such as APDU-formatted messages (and inversely) to be installed on a local Client ( 10 ) in which a PSD ( 40 ) is connected.

RELATED APPLICATIONS

This application is a 371 US National Stage application ofPCT/EP02/03928 filed Apr. 9, 2002, which is a continuation of U.S.application Ser. No. 09/844,246 filed Apr. 30, 2001, now abandoned.

1. FIELD OF INVENTION

The present invention relates to a method and system for establishing acommunications path (the “pipe”) over a communications network between aPersonal Security Device (PSD) and a Remote Computer System.

2. BACKGROUND OF INVENTION

The current art involving the use of Personal Security Devices (PSD),for example, smart cards, subscriber identity module (SIM) cards,biometric devices, or combinations thereof, requires specializedmessaging software or firmware to be installed on a local Client inwhich the PSD is connected. These specialized routines are used totranslate messages from high-level messaging formats into low-levelmessaging formats (i.e. into PSD-formatted messages). An example of suchroutines is what is generally known in the art as an ApplicationProtocol Data Unit (APDU) interface. Installing and maintaining APDUinterfaces for a large number of local Clients can be a substantial andcostly challenge in a multi-user organization. In addition, Clientresources such as disk space, memory and computing resources areunnecessarily tied up by the software, which could be better utilizedfor other purposes.

Another significant limitation of the current art is that securitymechanisms are implemented on a local Client to gain access to securefunctions contained within a connected PSD. In a typical securetransaction with a PSD, a request is generated in the local Client byway of high-level software such as API-level software, which issubsequently encrypted in the Client and translated into APDU messagingformat using an APDU interface, and sent to the PSD to access theintended secure function.

The potential exposure of secure information weakens the basicfunctionality of current PSDs, which is to protect private keys andother proprietary information from being unnecessarily disclosed. Thelimitations of the current art are such that localized key generatingmechanisms, APDU interface software and transactions involving thissoftware are potentially vulnerable to compromise by unauthorizedprograms running on the local Client or by other illicit means intendingto monitor the key generation process and thus gaining access tosecurity codes, algorithms and other sensitive data contained within thePSD or elsewhere. These limitations are magnified in a multi-userenvironment where the ability to control unauthorized access to localClients and vulnerable software contained therein is increased.

3. SUMMARY OF INVENTION

It is an object of the present invention to provide a method forestablishing a communications path (the “pipe”) over a communicationsnetwork between a Personal Security Device (PSD) and a Remote ComputerSystem without requiring means for converting high-level messages suchas API-level messages to PSD-formatted messages such as APDU-formattedmessages (and inversely) to be installed on a local Client in which aPSD is connected.

This object is achieved with a method for establishing a communicationspipe between at least one PSD and at least one Remote Computer Systemover a network using at least one Client as a host to said at least onePSD, said at least one Client and said at least one Remote ComputerSystem being in functional communications using a packet-basedcommunications protocol over said network, said method comprising thesteps of:

-   -   generating, retrieving or receiving, in said at least one Remote        Computer System, a PSD-formatted request message,    -   encapsulating, in said at least one Remote Computer System, said        PSD-formatted request message with said packet-based        communications protocol, thus producing an encapsulated        PSD-formatted request message,    -   transmitting said encapsulated PSD-formatted request message,        using said packet-based communications protocol, from said at        least one Remote Computer System to said at least one Client via        said network,    -   extracting, in said at least one Client, said PSD-formatted        request message from said encapsulated PSD-formatted request        message,    -   transmitting said PSD-formatted request message from said at        least one Client to said at least one PSD,    -   processing, in said at least one PSD, said PSD-formatted request        message, thus producing an PSD-formatted response message,    -   transmitting said PSD-formatted response message from said at        least one PSD to said at least one Client,    -   encapsulating, in said at least one Client, said PSD-formatted        response message with said packet-based communications protocol,        thus producing an encapsulated PSD-formatted response message,    -   transmitting said encapsulated PSD-formatted response message,        using said packet-based communications protocol, from said at        least one Client to said at least one Remote Computer System via        said network,    -   extracting, in said at least one Remote Computer System, said        PSD-formatted response message from said encapsulated        PSD-formatted response message.    -   processing said PSD-formatted response message in said at least        one Remote Computer System.

The local Client acts as a transparent host which allows a connected PSDto communicate with one or more Remote Computer Systems over a network.

The communications pipe generation may be initiated automatically uponconnection of a PSD to a local Client, by a Client side request foraccess to information contained on another networked Client or RemoteComputer System, or by a Remote Computer System requesting access to aPSD.

In this invention, PSD-formatted messages are preferentiallyencapsulated into a common communications protocols, such as TCP/IP,WAP, etc. which are used to communicate between one or more Clients withone or more Remote Computer Systems. A program installed on each localClient and each Remote Computer System separates the incoming low-levelPSD-formatted messages from the incoming message packets and routes thePSD-formatted messages to a connected PSD via its hardware deviceinterface. In a multi-tasking operating environment, the Client is freeto perform other data processing functions while transactions between aPSD and a Remote Computer System using the pipe are executed in thebackground. In situations where a firewall may mask individual Clientnetwork addresses, remote computer based pipe software should beinstalled on the proxy server. Other solutions common to virtual privatenetworking may also be employed.

With this invention, conversion of high-level messages such as API-levelmessages to PSD-formatted messages such as APDU-formatted messages, andinversely, is made in the Remote Computer System. By moving means forconverting high-level messages such as API-level messages toPSD-formatted messages such as APDU-formatted messages (and inversely)from numerous local Clients to one or a few secure Remote ComputerSystems, the overall data processing system is much easier to maintainand significantly less susceptible to unauthorized access or compromise.

For purposes of this invention a Client may be any intelligent devicesuch as a personal computer, laptop, cellular telephone, Personal DataAssistant (PDA), etc. which provides the network communicationsinterface between a PSD and a Remote Computer System. A Remote ComputerSystem includes any intelligent device which provides the necessarycommunications interface between networked devices and a PSD.

In a first embodiment of the invention, a communications pipe is formedwhen a Remote Computer System generates the proper PSD-formattedmessages which are encapsulated into an agreed upon communicationsprotocol, transmitted (broadcast for general polling or specific IPaddress of Client) over a network, invoking a reply by one or more PSDswhich is (are) subsequently received by the requesting Remote ComputerSystem. The latter described pipe formation process is equivalent to ahandshake between a PSD and a Remote Computer System.

This first embodiment of the invention is useful in determining thestatus, identification and other derived information related toresponding PSDs. For example, an APDU formatted polling command may betransmitted from the Remote Computer System over a network to all PSDscapable of receiving the command requesting each PSD to return itsunique identification number or some other non-proprietary information.Based on the replies received, it is possible to determine which PSDsare active, their relative location, length of time each PSD has beenactive, network traffic information, etc. This first embodiment of themethod of the invention does not require the use of securecommunications protocols.

In a second embodiment of the invention, referred to as secure pipegeneration, security mechanisms are employed to protect againstunauthorized disclosure of proprietary information. The secure pipegeneration process is equivalent to the pipe generating processdescribed above but includes the added steps of generatingcryptographically secured PSD-formatted messages, which are thenencapsulated into a secure communications protocol, examples of whichinclude TCP/IP with secure socket layer (SSL) encryption, IPSEC, etc. togenerate a secure pipe between a Remote Computer System and a PSD.

In this second embodiment of the invention, PSD-formatted messages areencrypted using the proper keys to unlock secure applications and datacontained within the secure domain of a PSD. Response PSD-formattedmessages containing sensitive or proprietary information are likewiseencrypted by the PSD and decrypted by the Remote Computer System.

The cryptographically secured PSD-formatted messages are encapsulatedinto outgoing message packets using the agreed communications secureprotocol, sent over a network and routed through the PSD hardwareinterface by the Client and into the PSD as before. This secondembodiment of the invention is useful in initializing a PSD,personalizing a PSD, accessing secure information contained within aPSD, changing, upgrading or deleting proprietary algorithms or datacontained in a PSD, authenticating an end user, etc.

It is another object of the invention to provide a system forimplementing the above-mentioned method.

4. BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the present invention may beaccomplished by referring to the following Detailed Description andClaims, when viewed in conjunction with the following drawings:

FIG. 1—is a generalized system block diagram for implementing presentinvention (first embodiment),

FIG. 2—is a detailed block diagram depicting initiating a communicationspipe where non-proprietary information is being requested (firstembodiment),

FIG. 3—is a detailed block diagram depicting establishing acommunications pipe where non-proprietary information is being requested(first embodiment),

FIG. 4A—is a generalized system block diagram for implementing presentinvention which includes software-based security mechanisms (secondembodiment),

FIG. 4B—is a generalized system block diagram for implementing presentinvention which includes HSM based security mechanisms (secondembodiment),

FIG. 5—is a detailed block diagram depicting initiating a securecommunications pipe (second embodiment), and

FIG. 6—is a detailed block diagram depicting establishing a securecommunications pipe (second embodiment).

5. DETAILED DESCRIPTION OF THE INVENTION

This invention provides a method and system to establish a remotecommunications pipe over a network between a Remote Computer System anda Personal Security Device connected to a host local Client. In thisinvention, Personal Security Devices (PSD) are intelligent devices suchas smart cards, biometric devices, Subscriber Identification Module(SIM) cards, or combinations thereof having a microprocessor, runtimeoperating environment, an input/output communication port, memorystorage including nonvolatile memory and random access memory andembedded software applications.

Two embodiments of the invention are described; a first embodiment(FIGS. 1 to 3) in which security mechanisms are not employed and asecond embodiment (FIGS. 4A to 6) where security mechanisms areemployed.

Note also that the following description of the invention will be basedon a PSD which receives and sends APDU-(Application Protocol DataUnit)-formatted messages.

APDU messaging format, which is per se known in the art, is alower-level messaging format which allows a PSD to communicate withhigher-level applications located in devices to which the PSD is to beconnected.

It must be clear that the present invention is not limited to the use ofan APDU messaging format, and that any other low-level messaging formatthat can be processed by the PSD enters within the scope of the presentinvention.

In the appended claims, a message having such a format will bedesignated by the generic expression “PSD-formatted message”.

5.1. Detailed Description of a First Embodiment of the Invention

Referring now to FIG. 1, a generalized system block diagram of a firstembodiment of the invention depicted. The various layers shown are basedon the Open System Interconnection model (OSI). For simplicity, certainlayers common to both the Client and Remote Computer System are notshown and should be assumed to be present and incorporated into adjacentlayers. The layers common to both a Client and Remote Computer Systeminclude:

-   -   an Applications Layer 90 which generally contains higher level        software applications (e.g. word processor) and a user interface        and such as a Graphical User Interface (GUI),    -   an Applications Programming Interface (API) Layer 100 for        processing and manipulating data for use by either higher or        lower level applications,    -   a Communications Layer 105 which contains communications        programs including secure communications capabilities, which        enable a Client to communicate with a Remote Computer System to        exchange information in an agreed upon protocol and visa versa,    -   an Operating System Layer 110 or equivalent runtime environment,        which controls the allocation and usage of hardware resources        such as memory, Central Processing Unit (CPU) time, disk space,        hardware I/O port assignments, peripheral device management,    -   a Hardware Drivers Layer 120 which permits the operating system        to communicate and control physical devices connected to the        Client's or Remote Computer System's hardware I/O bus,    -   and a Physical Device Layer 130 where Network Interface Cards        (NIC) 140 provide the physical connections to a        telecommunications network 45. Other Hardware Devices 80 may        also be connected at this Layer.

5.1.1. Client Specific Features

A specialized program contained within the API Layer 100 of the Clientand referred to as a Pipe Client 15, interacts with CommunicationsPrograms contained within the Communications Layer 105. The Pipe Client15 functions to separate encapsulated APDU requests from incomingmessaging packets received from a network 45 for processing by a locallyconnected PSD 40. Alternately, outbound APDU responses generated by alocally connected PSD 40, are processed by the Pipe Client forencapsulation into an agreed upon communications protocol byCommunications Programs contained within the Communications Layer 105.

A software driver contained within the Communications Layer 105 of theClient and referred to as a PSD Software Interface 20 directs incomingAPDUs communicated by the Pipe Client 15 into the I/O device portconnecting the PSD Hardware Device Interface 25 to the locally connectedPSD 40. Outgoing APDUs generated by the PSD are communicated through thePSD Hardware Device Interface 25 through the I/O device port to the PSDSoftware Interface 20 and subsequently communicated to the Pipe Client15.

5.1.2. Remote Computer System Specific Features

A first specialized program contained within the API Layer 100 of theRemote Computer System 50 and referred to as an APDU Interface 55,translates higher level messaging formats into low-level APDU messagingformat required to communicate with a PSD 40. Alternately, the APDUInterface 55 translates incoming APDU responses received from a PSD 40into higher level messaging formats used by programs in the API Layer100 and Applications Layer 90 of the Remote Computer System.

A second specialized program contained within the API Layer 100 of theRemote Computer System 50 and referred to as a Pipe Server 70 interactswith Communications Programs contained within the Communications Layer105. The Pipe Server 70 functions to separate encapsulated APDU requestsfrom incoming messaging packets received from a network 45 forprocessing by the APDU Interface 55. Alternately, outbound APDU requeststranslated by the APDU Interface 55 are processed by the Pipe Server forencapsulation into an agreed upon communications protocol byCommunications Programs contained within the Communications Layer 105.

5.1.3. Other Inventive Features

The connection 30 between the PSD 40 and PSD Hardware Interface 25includes but is not limited to traditional electrical or optical fiberconnections or wireless means including optical, radio, acoustical,magnetic, or electromechanical. Likewise the connection 75 between theClient 10 and the network 45, and the connection 75 between the RemoteComputer System 50 and the network 45 may be accomplished analogously.

The network, shown generally at 45, includes both public and privatetelecommunications networks connected by traditional electrical,optical, electro-acoustical (DTMF) or by other wireless means. Anymutually agreed upon communications protocol capable of encapsulatingAPDU commands may be employed to establish a communications pipeincluding open or secure communications protocols.

Referring now to FIG. 2, depicts initiating a communications pipebetween the Remote Computer System 50 and the PSD 40 connected to aClient 10. In this depiction, the Remote Computer System 50 is sending arequest to PSD 40 for non-proprietary embedded information 35, forexample an identification number. PSD 40 is connected 30 to the localClient 10 using PSD Interface 25. PSD Interface 25 communicates with theClient 10 via hardware device port 5.

To initiate a communications pipe between Remote Computer System 50 andPSD 40, the Remote Computer System 50 generates a request 200 by way ofAPI programs 100 which is translated into APDU format 220 by the APDUInterface 55 and sent to the Pipe Server 70 for message encapsulation.The encapsulated APDUs are then sent 210 to the Communications Programs105S for incorporation into outgoing message packets 230.

The message packets 230 containing the encapsulated APDUs aretransmitted 75 over the network 45 via a Network Interface Card (I/O)130S. The Client 10 receives the message packets 240 containing theencapsulated APDUs which are received from the network 45 via a NetworkInterface Card (I/O) 130C installed on the local Client. The incomingmessages are processed by Client-side Communications Programs 105C androuted 250 into the Pipe Client 15 for APDU extraction. The extractedAPDUs are sent 260 through hardware device port 5, routed 270 into thePSD Interface 25 and sent to PSD 40 via connection 30 for processingwithin PSD domain 35.

Alternative requests to form a communications pipe 75 between a RemoteComputer System 50 and a PSD 40 may be initiated by Client 10 requestingaccess to information contained on one or more networked local Clients,by connecting a PSD 40 to PSD Interface 25 which initiates a request toform a communications pipe 75, or by another Remote Computer Systemrequesting access to PSD 40.

Referring now to FIG. 3, depicts a PSD response which establishes thecommunications pipe between PSD 40 and Remote Computer System 50. Inthis depiction, the request previously received is processed within thePSD domain 35, which generates a response message. The PSD response issent in APDU format from PSD 40 through connection 30 and into PSDinterface 25. The PSD response is then routed 370 through hardwaredevice port 5 and sent 360 to the Pipe Client 15 for processing andencapsulation. The resulting message packets are then sent 350 to theClient-side Communications Programs 105C for incorporation into outgoingmessage packets 340. The message packets 340 containing the encapsulatedAPDUs are transmitted 75 over the network 45 via the Network InterfaceCard (I/O) 130C.

The Remote Computer System 50 receives the message packets 330containing the encapsulated APDUs, which are received from the network45 via the Network Interface Card (I/O) 130S installed on the RemoteComputer System. The incoming messages are processed by server-sideCommunications Programs 105S and routed 310 into the Pipe Server 70 forAPDU extraction. The extracted APDUs are sent 320 to the APDU Interface55 for processing and translation into a higher-level format and sent300 to API Level programs 100 for processing and further transactionswith the PSD 40 if desired.

5.2. Detailed Description of a Second Embodiment of the Invention

Referring now to FIG. 4A, a generalized system block diagram of oneimplementation of a secure communications pipe is shown. The generalsystem block diagram includes an additional software-based CryptographyModule 470 installed on the Remote Computer System, which is not shownin FIG. 1.

FIG. 4B depicts an alternative to using software-based securitymechanisms. In this alternative embodiment of the invention, a HardwareSecurity Module (HSM) 440 is employed to perform cryptographicfunctions. To access the HSM, a software driver referred to as an HSMS/W Interface 475, is included in the API Layer 100. The HSM softwaredriver communicates with a physical device interface included in thePhysical Device Layer 130. The physical device interface is installed onthe I/O bus of the Remote Computer System, and is referred to as an HSMH/W Interface 485. The HSM module 440 is connected 430 to the HSM H/WInterface a manner analogous to the PSD connection to the PSD Interfacepreviously described. The use of HSM technologies provides end-to-endsecurity, which further reduces the possibility of unauthorizeddisclosure of cryptographic or sensitive information.

Both APDU messaging security mechanisms shown in FIGS. 4A & 4B are usedto generate cryptographic keys necessary to unlock secure functions anddata contained within the secure domain of a PSD, encrypt outgoing APDUsand decrypt incoming encrypted APDUs. The security mechanisms employedin generating a secure pipe may include synchronous, asynchronous or anycombination of cryptography methods.

Secure communications protocols used to communicate over a network areaccomplished by the Communications Programs contained within theCommunications Layers 105. Cryptography used in generating securecommunications may employ the security mechanisms described for APDUmessaging, employ separate mechanisms or employ any combination thereof.

Referring now to FIG. 5, depicts the initiating of a secure pipe betweenthe Remote Computer System and the PSD 40 connected to Client 10. Inthis depiction, Remote Computer System 50 is sending a secure request toPSD 40 for proprietary embedded information 35, for example anauthentication password. PSD 40 is connected 30 to the local Client 10using PSD Interface 25. PSD Interface 25 communicates with the Client 10via hardware device port 5.

To initiate a secure communications pipe between Remote Computer System50 and PSD 40, a request 500 is generated on Remote Computer System 50to access PSD 40 by way of API programs 100 which are translated intoAPDU format by the APDU Interface 55. The APDUs are then sent 520 to aSecurity Module 525 for encryption using a pre-established cryptographymethod. The proper cryptographic parameters may be determined by using alook-up table or database, which cross-references the PSD's uniqueinternal identification information with one or more codes necessary toimplement the appointed cryptography method.

The encrypted APDUs are then routed 510 to the Pipe Server 70 formessage encapsulation. The encapsulated APDUs are then sent 530 to theCommunications Programs 105 for processing, encryption using apre-established secure communications protocol and incorporation intooutgoing message packets 535. The secure message packets 535 containingthe encrypted and encapsulated APDUs are transmitted 75 over the network45 via a Network Interface Card (I/O) 130S.

The Client 10 receives the message packets 540 containing the encryptedand encapsulated APDUs which are received from the network 45 via aNetwork Interface Card (I/O) 130C installed on the local Client 10.

The incoming encrypted message packets are decrypted and processed usingthe pre-established cryptography employed in the secure communicationsprotocol by Client-side Communications Programs 105C. The unencryptedmessage packets still containing the encrypted APDUs are routed 550 intothe Pipe Client 15 for APDU extraction. The extracted APDUs are sent 560through hardware device port 5, routed 570 into the PSD Interface 25 andsent to PSD 40 via connection 30 for decryption and processing withinthe secure domain 35 of the PSD 40. Using a pre-established cryptographymethod, incoming secure APDUs are decrypted and requests processed.

Referring now to FIG. 6, depicts a PSD secure response, whichestablishes the secure communications pipe between PSD 40 and RemoteComputer System 50. In this depiction, the secure request previouslyreceived is processed within the secure domain 35 of the PSD 40, whichcauses the PSD to generate a secure response message using apre-established cryptography method.

The PSD secure response is sent in APDU format from PSD 40 throughconnection 30 and into PSD interface 25. The PSD secure response is thenrouted 670 through hardware device port 5 and sent 660 to the PipeClient 15 for processing and encapsulation. The resulting messagepackets are then sent 650 to the Client-side Communications Programs 105for processing, encryption using a pre-established secure communicationsprotocol and incorporation into outgoing message packets 640. Themessage packets 640 containing the encapsulated APDUs are transmitted 75over the network 45 via the Network Interface Card (I/O) 130C.

The Remote Computer System 50 receives the message packets 635containing the encapsulated APDUs from the network 45 via the NetworkInterface Card (I/O) 130S installed on the Remote Computer System 50.The incoming messages are processed and decrypted using thepre-established cryptography method employed in the securecommunications protocol by the server-side Communications Programs 105and routed 610 into the Pipe Server 70 for secure APDU extraction. Theextracted secure APDUs are sent 630 to the Security Module 525 fordecryption of the secure APDUs using the pre-established cryptographymethod. The decrypted APDUs are then routed 620 to the APDU Interface 55for processing and translation into a higher-level format and sent 600to API programs 100 for processing and further transactions with the PSD40 if desired. This step establishes the secure “pipe” to communicatewith the PSD. The secure pipe is maintained until the Remote ComputerSystem signals the Client to close the hardware interface port 5.

No limitation is intended in the number of PSDs and Clients formingsecure pipes 75 with one or more Remote Computer System(s) 50, norshould any limitation on the number of Remote Computer Systems 50available for generating secure pipes 75 be construed from the drawings.Lastly, no limitation is intended concerning the initiating event toestablish a communications pipe.

The foregoing described embodiments of the invention are provided asillustrations and descriptions. They are not intended to limit theinvention to precise form described. In particular, it is contemplatedthat functional implementation of the invention described herein may beimplemented equivalently in hardware, software, firmware, and/or otheravailable functional components or building blocks. Other variations andembodiments are possible in light of above teachings, and it is notintended that the scope of the invention be limited by this DetailedDescription, but rather by the Claims following herein.

1. A method for establishing a communications pipe between at least onepersonal security device (PSD) and at least one Remote Computer Systemover a network using at least one Client as a host to said at least onePSD, said at least one Client and said at least one Remote ComputerSystem being in functional communications using a packet-basedcommunications protocol over said network, said method comprising:generating, retrieving or receiving, in said at least one RemoteComputer System, an Application Protocol Data Unit (APDU) requestmessage, encapsulating, in said at least one Remote Computer System,said APDU request message with said packet-based communicationsprotocol, thus producing an encapsulated APDU request message,transmitting said encapsulated APDU request message, using saidpacket-based communications protocol, from said at least one RemoteComputer System to said at least one Client via said network,extracting, in said at least one Client, said APDU request message fromsaid encapsulated APDU request message, transmitting said APDU requestmessage from said at least one Client to said at least one PSD,processing, in said at least one PSD, said APDU request message, thusproducing a APDU response message, transmitting said APDU responsemessage from said at least one PSD to said at least one Client,encapsulating, in said at least one Client, said APDU response messagewith said packet-based communications protocol, thus producing anencapsulated APDU response message, transmitting said encapsulated APDUresponse message, using said packet-based communications protocol, fromsaid at least one Client to said at least one Remote Computer System viasaid network, extracting, in said at least one Remote Computer System,said APDU response message from said encapsulated APDU response message,and processing said APDU response message in said at least one RemoteComputer System.
 2. The method according to claim 1, further comprising:encrypting said APDU request message in said at least one RemoteComputer System, decrypting said APDU request message in said at leastone PSD, encrypting said APDU response message in said at least one PSD,and decrypting said extracted PSD formatted APDU response message insaid at least one Remote Computer System.
 3. The method according toclaim 2, wherein said at least one PSD comprises unique identificationinformation, further comprising, cross-referencing said uniqueidentification information with a look-up table in order to selectproper cryptography for encrypting or decrypting said APDU requestmessage or said APDU response message.
 4. The method according to claim1, further comprising, initiating said communications pipe automaticallyupon connection of said at least one PSD to said at least one Client. 5.The method according to claim 1, further comprising, initiating saidcommunications pipe upon an initial request generated by said at leastone Client.
 6. The method according to claim 1, comprising, initiatingsaid communications pipe upon an initial request generated by at leastone networked Remote Computer System.
 7. The method according to claim1, further comprising, establishing said communications pipe in thebackground.
 8. The method according to claim 1, wherein said APDUmessages are application protocol data unit (APDU) formatted messages.9. The method according to claim 1, further comprising, generating orretrieving, in said at least one Remote Computer System, a request toaccess said at least one PSD, said request being in a high-levelmessaging format, converting, in said at least one Remote ComputerSystem, said request from said high-level messaging format to a requestmessage which is an APDU so as to generate said APDU request message,converting, in said at least one Remote Computer System, said APDUresponse message into a high-level response message.
 10. The methodaccording to claim 9, wherein said high-level messaging format is anapplications programming interface (API) level format.
 11. The method ofclaim 1, wherein each of the APDU request message and the APDU responsemessage is doubly encapsulated for communication between the RemoteComputer System and the Client.
 12. A Client for establishing acommunications pipe between at least one personal security device (PSD)and at least one Remote Computer System over a network using said Clientas a host to said at least one PSD, wherein said Client and said atleast one Remote Computer System are in functional communications usinga packet-based communications protocol over said network, said Clientcomprising: a PSD interface section that functionally connects said atleast one PSD to said Client, a Client communications section thattransmits and receives messages over said network using saidpacket-based-communications protocol, a Client processing sectioncomprising: a first section that receives incoming message packets oversaid network using said Client communications section, extracts incomingApplication Protocol Data Unit (APDU) messages from said incomingmessage packets, and transmits said incoming APDU messages to said PSDthrough said PSD interface section, and a second section that receivesoutgoing APDU messages coming from said PSD through said PSD interface,encapsulates said outgoing APDU messages into outgoing message packets,and transmits said outgoing message packets over said network using saidClient communications section.
 13. A Remote Computer System forestablishing a communications pipe between at least one personalsecurity device (PSD) and said Remote Computer System over a networkusing a Client as a host to said at least one PSD, wherein said Clientand said at least one Remote Computer System are in functionalcommunications using a packet-based communications protocol over saidnetwork, said Remote Computer System comprising: a Remote ComputerSystem communications section that transmits and receives messages oversaid network using said packet-based-communications protocol, a firstRemote Computer System data processing section comprising: a firstsection that receives incoming message packets over said network usingsaid Remote Computer System communications section and extracts incomingApplication Protocol Data Unit (APDU) messages from said incomingmessage packets, and a second section that encapsulates means forencapsulating outgoing APDU messages into outgoing message packets andtransmits said outgoing message packets over said network using saidRemote Computer System communications section.
 14. The Remote ComputerSystem according to claim 13 further comprising a second Remote ComputerSystem data processing section that implements high level programs, athird Remote Computer System data processing section that converts APDUmessages into high-level messages and wherein said first Remote ComputerSystem data processing section further comprises, a first section thattransmits said incoming APDU messages to said second Remote ComputerSystem data processing section through said third Remote Computer Systemdata processing section, a second section that receives outgoing APDUmessages coming from said second Remote Computer System data processingsection through said third Remote Computer System data processingsection.
 15. The Remote Computer System according to claim 13, whereinsaid incoming APDU messages are to be decrypted and said outgoing APDUmessages are to be encrypted, further comprising a cryptographic sectionthat decrypts said incoming APDU messages and encrypts said outgoingAPDU messages.
 16. The Remote Computer System according to claim 15,wherein said cryptographic section comprises a Hardware Security Module.17. A system for the establishment of a communications pipe, the systemcomprising at least one Client and at least one Remote Computer System,wherein: the Client establishes a communications pipe between at leastone personal security device (PSD) and the at least one Remote ComputerSystem over a network using said Client as a host to said at least onePSD, said Client comprising: a PSD interface section that functionallyconnects said at least one PSD to said Client, a Client communicationssection that transmits and receives messages over said network using apacket-based-communications protocol, a Client processing sectioncomprising: a first section that receives incoming message packets oversaid network using said Client communications section, extracts incomingApplication Protocol Data Unit (APDU) messages from said incomingmessage packets, and transmits said incoming APDU messages to said PSDthrough said PSD interface section, and a second section that receivesoutgoing APDU messages coming from said PSD through said PSD interface,encapsulates said outgoing APDU messages into outgoing message packets,and transmits said outgoing message packets over said network using saidClient communications section; the Remote Computer System forestablishing a communications pipe between the at least one PSD and saidRemote Computer System over the network, said Remote Computer Systemcomprising: a Remote Computer System communications section thattransmits and receives messages over said network using thepacket-based-communications protocol, a first Remote Computer Systemdata processing section comprising: a third section that receivesincoming message packets over said network using said Remote ComputerSystem communications section and extracts incoming APDU messages fromsaid incoming message packets, and a fourth section that encapsulatesoutgoing APDU messages into outgoing message packets and transmits saidoutgoing message packets over said network using said Remote ComputerSystem communications section; and the at least one Remote ComputerSystem is functionally connected to said at least one Client throughsaid network.
 18. The system according to claim 17, further comprisingat least one PSD comprising: a connecting section that functionallyconnects said at least one PSD to said PSD interface section, a PSDcommunications section that transmits and receives APDU messages throughsaid PSD interface section, and a PSD processing section that interpretsincoming APDU messages, executes commands included in said incoming APDUmessages and transmits outgoing APDU messages through said PSD interfaceusing said PSD communications section.
 19. A system for theestablishment of a communications pipe, the system comprising at leastone Client and at least one Remote Computer System, wherein: the Clientestablishes a communications pipe between at least one personal securitydevice (PSD) and the at least one Remote Computer System over a networkusing said Client as a host to said at least one PSD, said Clientcomprising: a PSD interface section that functionally connects said atleast one PSD to said Client, a Client communications section thattransmits and receives messages over said network using apacket-based-communications protocol, a Client processing sectioncomprising: a first section that receives incoming message packets oversaid network using said Client communications section, extracts incomingApplication Protocol Data Unit (APDU) messages from said incomingmessage packets, and transmits said incoming APDU messages to said PSDthrough said PSD interface section, and a second section that receivesoutgoing APDU messages coming from said PSD through said PSD interface,encapsulates said outgoing APDU messages into outgoing message packets,and transmits said outgoing message packets over said network using saidClient communications section; the Remote Computer System forestablishing a communications pipe between the at least one PSD and saidRemote Computer System over the network, said Remote Computer Systemcomprising: a Remote Computer System communications section thattransmits and receives messages over said network using thepacket-based-communications protocol, a first Remote Computer Systemdata processing section comprising: a third section that receivesincoming message packets over said network using said Remote ComputerSystem communications section and extracts incoming APDU messages fromsaid incoming message packets, and a fourth section that encapsulatesoutgoing APDU messages into outgoing message packets and transmits saidoutgoing message packets over said network using said Remote ComputerSystem communications section; a second Remote Computer System dataprocessing section that implements high level programs, a third RemoteComputer System data processing section that converts APDU messages intohigh-level messages and wherein said first Remote Computer System dataprocessing section further comprises, a fifth section that transmitssaid incoming APDU messages to said second Remote Computer System dataprocessing section through said third Remote Computer System dataprocessing section, a sixth section that receives outgoing APDU messagescoming from said second Remote Computer System data processing sectionthrough said third Remote Computer System data processing section; andthe at least one Remote Computer System is functionally connected tosaid at least one Client through said network.
 20. The system accordingto claim 19, further comprising at least one PSD comprising: aconnecting section that functionally connects said at least one PSD tosaid PSD interface section, a PSD communications section that transmitsand receives encrypted APDU messages through said PSD interface section,a PSD cryptographic section that decrypts encrypted incoming APDUmessages and encrypts outgoing APDU messages, and a PSD processingsection that interprets said decrypted incoming APDU messages, executescommands included in said decrypted incoming APDU messages, andgenerates outgoing APDU messages to be encrypted by said PSDcryptographic section and transmitted through said PSD interface usingsaid PSD communications section.